Transcript Slide 1

Technology in Medicine
Conference on Medical Device Security
Overview of
Medical Devices and
HIPAA Security Compliance
Wednesday, March 9, 2005
Stephen L. Grimes, FACCE
Chair, Medical Device Security Workgroup
Healthcare Information and Management Systems Society (HIMSS)
Senior Consultant & Analyst
GENTECH
Medical Device Security:
Is this just a HIPAA issue?
NO! … Even if HIPAA were thrown out,
Medical Device Security is a necessity …
not just a regulation.
Medical device security … particularly data
integrity & data availability … is critical to
healthcare quality, timeliness, and cost-effectiveness.
Today, a reasonable standard of care cannot
be maintained without an effective
Information Security Management Program
in place that includes biomedical technology.
March 9, 2005
© HIMSS / ACCE / ECRI ~ 2
HIPAA’s Security Rule
Implications for Biomedical
Devices & Systems
Security Risks to Healthcare Technology
[Figure: "tip of the risk" diagram. The small visible tip is labelled "Risks to Healthcare IT Systems"; the much larger mass beneath it is labelled "Risks to Biomedical Devices & Systems".]
Make sure you are addressing more than the tip of the risk!
The inventory of biomedical devices & systems in a typical hospital is 3-4 times larger than the IT inventory.
Significant Medical Device Industry Trends
Medical devices and systems are being designed and operated as special-purpose computers … more features are being automated, and increasing amounts of medical data are being collected, analyzed and stored in these devices.
There has been a rapidly growing integration and interconnection of disparate medical (and information) technology devices and systems, with medical data increasingly being exchanged among them.
Information Technology Systems: Mission Critical
Mission Critical: activities, processing, etc., that are deemed vital to the organization's business success or existence. If a Mission Critical application fails, crashes, or is otherwise unavailable to the organization, it will have a significant negative impact upon the business.
Examples of Mission Critical applications include accounts/billing, customer balances, ADT processes, JIT ordering, and delivery scheduling.
Biomedical Technology Systems: Life Critical
Life Critical: devices, systems and processes that are deemed vital to the patient’s health and quality of care. If a Life Critical system fails or is otherwise compromised, it will have a significant negative impact on the patient’s health, quality of care or safety.
Examples of Life Critical systems include physiologic monitoring, imaging, radiation therapy, and clinical laboratory systems.
Major Differences in Risk Between IT & Biomedical Systems
IT Systems: Mission Critical
Medical Devices & Systems: Life Critical
HIPAA’s Security Rule
Implications for Biomedical Technology
[Figure: standalone medical devices with ePHI]
HIPAA’s Security Rule
Implications for Biomedical Technology
[Figure: both standalone and networked systems with ePHI]
HIPAA’s Security Rule
Implications for Biomedical Technology
Why is security an issue for biomedical technology?
Because a compromise of ePHI can affect:
Integrity or Availability … which can result in improper diagnosis or therapy of the patient, resulting in harm (even death) because of delayed or inappropriate treatment
Confidentiality … which can result in loss of patient privacy … and, as a consequence, may result in financial loss to the patient and/or provider organization
HIPAA’s Security Rule
Overview of Compliance Process
HIPAA’s Security Rule
Compliance Overview
[Figure: the two pillars of compliance: an Information Security Management (ISM) Program and a Risk Analysis & Management Plan (RAMP)]
HIPAA’s Security Rule
Compliance Overview
Establish effective Info Security Management (ISM) program:
1) Assign security official & establish information security committee
2) Develop necessary policies as per security standards
3) Develop necessary procedures, physical/technical safeguards as per implementation specifications
4) Implement policies/procedures, business associate agreements, educate workforce & install/configure security “tools”
5) Test implementation
6) Integrate security measures into organization-wide program
[Figure: staircase of increasing levels of program effectiveness: Policies, Procedures, Implementation, Testing, Integration. GOAL: HIPAA Compliance & an Effective Info Security Program]
HIPAA’s Security Rule
Compliance Overview
[Figure: Information Security Committee chart (© slgrimes), showing Core Members and Ad Hoc Members drawn from: Information Security Official; Privacy Official; Compliance Officer; Clinical Engineering; representatives of Information Services / Information Technology; device users (i.e., clinical staff); Facilities Engineering; Staff Education / Inservice; Materials Management / Purchasing; Human Resources; Quality Assurance; Administration; Risk Management]
HIPAA’s Security Rule
Compliance Overview
Establish Risk Analysis/Management Plan (RAMP):
1) Conduct inventory (identify sources of ePHI) and survey current security practices & resources
2) Identify and assess security risks
3) Establish priorities
4) Determine security gap (i.e., need for additional safeguards) following “best practices” and the Security Rule’s Standards and Implementation Specifications
5) Formulate/implement plan for risk mitigation process incorporating risk-based priorities
6) Test & measure effectiveness of risk mitigation process (improving as necessary)
Compliance Overview
Risk Analysis/Management
1) Conduct Inventory
Identify biomedical devices & systems that maintain and/or transmit ePHI.
For each affected device/system, determine:
– Types of ePHI
– Who has access & who needs access
– Description of any connections with other devices
– Types of security measures currently employed
New! (Nov 8, 2004) HIMSS Manufacturers Disclosure Statement for Medical Device Security (MDS2)
http://www.himss.org/asp/medicalDeviceSecurity.asp
Compliance Overview
Risk Analysis/Management
1) (continued) Survey current security practices & resources … to analyze existing processes:
– Policies & procedures
– Training programs
– Tools & security measures
[Figure: where ePHI lives in a component, device, or system, in three groups.
Create/Input ePHI: keyboard; imaging (photo, medical image); scanning (bar code, magnetic, OCR); voice recognition; biometrics.
Maintain ePHI: disk, hard disk, tape, memory (e.g., RAM), PCMCIA card, digital memory card, optical disk / CD-ROM / DVD.
Transmit/Receive ePHI: 56K link; wired networks (private or public, leased or dialup lines, Internet); wireless networks.]
Compliance Overview
Inventory of Devices/Systems
Physiologic Monitor
where ePHI may consist of patient identifying information and the following data:
– ECG waveform
– Blood pressure
– Heart rate
– Temp
– O2 Saturation
– Respiration
– Alarms
Compliance Overview
Inventory of Devices/Systems
Infusion pump
where ePHI may consist of
patient identifying information
and the following data:
– Flow Rate
– Volume delivered
– Alarms
Compliance Overview
Inventory of Devices/Systems
Ventilator
where ePHI may consist of
patient identifying information
and the following data:
– Flow Rate
– Volume Delivered
– Respiration
(Breaths Per Minute)
– O2 Saturation
– Alarms
Compliance Overview
Inventory of Devices/Systems
Laboratory analyzer
where ePHI may consist of patient identifying information and the following data:
Blood related
– Hemoglobin
– Glucose
– Gas
– pH
– Electrolyte
Urine related
– Albumin
– Creatinine
– Bilirubin
Compliance Overview
Inventory of Devices/Systems
MRI, CT Scanner, Diagnostic Ultrasound
where ePHI may consist of patient identifying information and the following data:
– Image
Compliance Overview
Risk Analysis/Management
[Figure: cube labelled "Medical Device/System with electronic Protected Health Information", with Confidentiality, Integrity and Availability as its dimensions, each rated High, Medium or Low]
2) Assess risk with respect to confidentiality, integrity, availability:
Criticality: categorize level of risk/vulnerability (e.g., high, medium, low) to CIA
Probability: categorize the likelihood of risk (e.g., frequent, occasional, rare) to CIA
Composite Score for Criticality/Probability
Taking into account Criticality:
Assess Risk associated with compromises to Integrity of ePHI
[Figure: Patient, Physiologic Monitor, Central Station, Clinician with Authorized Access. The data the monitor acquires ("Actual") differs from what is maintained/transmitted to the central station.]
Data             Actual        Maintained/Transmitted
Patient ID       7813244       7813254
Heart Rate       60 bpm        35 bpm
Blood Pressure   120/80 mmHg   90/50 mmHg
Temp             98.6º F       89.6º F
SpO2             92%           92%
Taking into account Criticality:
Assess Risk associated with compromises to Availability of ePHI
[Figure: same data path; the maintained/transmitted values are not available to the clinician.]
Data             Actual        Maintained/Transmitted
Patient ID       7813244       XXXXX
Heart Rate       60 bpm        XX bpm
Blood Pressure   120/80 mmHg   XXX/XX mmHg
Temp             98.6º F       XX.Xº F
SpO2             92%           XX%
Taking into account Criticality:
Assess Risk associated with compromises to Confidentiality of ePHI
[Figure: same data path, with integrity and availability intact; an additional party with Unauthorized Access reads the data.]
Data             Actual        Maintained/Transmitted
Patient ID       7813244       7813244
Heart Rate       60 bpm        60 bpm
Blood Pressure   120/80 mmHg   120/80 mmHg
Temp             98.6º F       98.6º F
SpO2             92%           92%
Assessing Criticality of Risk Associated with Biomedical Devices/Systems with ePHI
Table columns: Impact on Patient (potential degree to which health care would be adversely impacted by compromise of availability or integrity of ePHI; potential degree to which privacy would be adversely impacted by compromise of confidentiality of ePHI) and Impact on Organization (potential degree to which interests would be adversely impacted by compromise of confidentiality, availability or integrity of ePHI; potential financial impact; potential legal penalties; likely corrective measures required).
RISK LEVEL: High
– Patient health care: serious impact to patient’s health (including loss of life) due to misdiagnosis, delayed diagnosis, or improper, inadequate or delayed treatment
– Patient privacy: could identify patient and their diagnosis
– Organization’s interests: extremely grave damage to organization’s interests
– Financial impact: Major ($1,000K)
– Legal penalties: imprisonment and/or large fines
– Corrective measures: Legal
RISK LEVEL: Medium
– Patient health care: minor impact to patient’s health due to misdiagnosis, delayed diagnosis, or improper, inadequate or delayed treatment
– Patient privacy: could identify patient and their health information (but from which a diagnosis could not be derived)
– Organization’s interests: serious damage
– Financial impact: Moderate ($100K)
– Legal penalties: moderate fines
– Corrective measures: Legal
RISK LEVEL: Low
– Patient health care: minor impact
– Patient privacy: could identify patient
– Organization’s interests: minor damage
– Financial impact: Minor ($10K)
– Legal penalties: none
– Corrective measures: Administrative
Assessing Probability of Risks Associated with Biomedical Devices/Systems with ePHI
Frequent: likely to occur (e.g., once a month)
Occasional: probably will occur (e.g., once a year)
Rare: possible to occur (e.g., once every 5-10 years)
Assessing Criticality & Probability of Risks associated with Biomedical Devices/Systems with ePHI
Determining the Criticality/Probability Composite Score (rows: Criticality; columns: Probability)
Criticality   Rare   Occasional   Frequent
High            3        6            9
Medium          2        4            6
Low             1        2            3
Compliance Overview
Risk Analysis/Management
3) Establish priorities
Use the Criticality/Probability composite score to prioritize risk mitigation efforts.
Conduct the mitigation process giving priority to devices/systems with the highest scores (i.e., devices/systems that represent the most significant risks).
Compliance Overview
Risk Analysis/Management
4) Determine security gap
Determine what measures are necessary to safeguard data.
Compare the list of necessary measures with the existing measures identified during the biomedical device/system inventory process.
Prepare a gap analysis for devices/systems detailing the additional security measures necessary to mitigate recognized risks (addressing devices/systems according to priority).
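As an added example (not from the slides or from HIMSS), the Criticality/Probability composite score from the 3x3 matrix is applied to a constructed device inventory to establish priorities (step 3) and to list each device's security gap (step 4); the device ratings and the safeguard names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Matrix weights from the slides: Criticality rows x Probability columns = composite (1..9).
CRITICALITY = {"Low": 1, "Medium": 2, "High": 3}
PROBABILITY = {"Rare": 1, "Occasional": 2, "Frequent": 3}

def composite_score(criticality: str, probability: str) -> int:
    """Composite score: High/Frequent = 9, Medium/Occasional = 4, Low/Rare = 1."""
    return CRITICALITY[criticality] * PROBABILITY[probability]

@dataclass
class DeviceAssessment:
    name: str
    cia: dict                                    # {"C": (criticality, probability), "I": ..., "A": ...}
    existing: set = field(default_factory=set)   # safeguards found during the step 1 survey
    required: set = field(default_factory=set)   # safeguards judged necessary in step 4

    def score(self) -> int:
        """A device is rated by its worst CIA dimension (the highest composite)."""
        return max(composite_score(c, p) for c, p in self.cia.values())

    def gap(self) -> set:
        """Step 4: measures that are required but not already in place."""
        return self.required - self.existing

def prioritize(devices: list) -> list:
    """Step 3: highest composite score first; equal scores keep inventory order."""
    return sorted(devices, key=lambda d: d.score(), reverse=True)

# Constructed sample inventory: device types come from the slides; the ratings
# and safeguard names are assumptions for illustration only.
INVENTORY = [
    DeviceAssessment("Physiologic monitor",
        {"C": ("Medium", "Occasional"), "I": ("High", "Occasional"), "A": ("High", "Frequent")},
        existing={"password access"},
        required={"password access", "network segmentation", "backup central station"}),
    DeviceAssessment("Infusion pump",
        {"C": ("Low", "Rare"), "I": ("High", "Occasional"), "A": ("Medium", "Rare")},
        existing={"physical access control"},
        required={"physical access control", "audit log"}),
    DeviceAssessment("Diagnostic ultrasound",
        {"C": ("High", "Occasional"), "I": ("Medium", "Rare"), "A": ("Low", "Occasional")},
        existing={"password access", "encrypted image archive"},
        required={"password access", "encrypted image archive"}),
    DeviceAssessment("Laboratory analyzer",
        {"C": ("Medium", "Rare"), "I": ("Medium", "Occasional"), "A": ("Medium", "Rare")}),
]

if __name__ == "__main__":
    for d in prioritize(INVENTORY):  # worksheet rows in mitigation order
        print(f"{d.score():>2}  {d.name:<22}  gap: {sorted(d.gap()) or 'none'}")
```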
Compliance Overview
Risk Analysis/Management
5) Formulate & implement mitigation plan
Formulate a written mitigation plan incorporating:
– additional security measures required (i.e., policies, procedures, technical & physical safeguards)
– priority assessment, and
– schedule for implementation
Implement the plan & document the process.
Compliance Overview
Risk Analysis/Management
6) Monitor process
Establish an on-going monitoring system (including a security incident reporting system) to ensure mitigation efforts are effective.
Document the results of regular audits of security processes.
Compliance Overview
Risk Analysis/Management
Prepare a Risk Mitigation Worksheet
[Figure: worksheet columns following the six RAMP steps: 1 Identify ePHI; 2 Identify & Assess Risks; 3 Establish Priorities; 4 Determine Gap; 5 Formulate & Implement Plan; 6 Test & Measure Effectiveness of Plan]
HIPAA’s Security Rule
Overview of Compliance Process
Questions?
Stephen L. Grimes, FACCE
[email protected]
Healthcare Information and Management Systems Society (HIMSS)
www.himss.org
American College of Clinical Engineering (ACCE)
www.accenet.org
ECRI
www.ecri.org